Exam SC-300 topic 3 question 28 discussion

Answer D. Configure permission classifications

This is from ChatGPT. To ensure that users can only provide consent to apps that require low impact permissions, you should: **D. Configure permission classifications.** By configuring permission classifications, you can categorize the permissions requested by applications into different levels of impact (e.g., low, medium, high). You can then configure policies that allow users to consent only to apps that require low impact permissions, ensuring that users cannot authorize apps that request higher-risk permissions without admin approval.

To ensure that users can only provide consent to apps that require low impact permissions, you should configure permission classifications in your Azure AD tenant. Configuring permission classifications allows you to classify the permissions requested by apps into different impact levels, such as low, medium, or high. By assigning the appropriate impact level to each permission, you can control which apps users are allowed to consent to based on the impact level of the requested permissions

Configure permission classifications for this...

The correct answer is D. Configure permission classifications. To ensure that the users can only provide consent to apps that require low impact permissions, you need to configure permission classifications in Azure AD. Permission classifications allow you to identify the impact that different permissions have according to your organization’s policies and risk evaluations.

D. Configure permission classifications: Azure AD allows you to classify the permissions requested by apps into three categories: low, medium, and high impact. By configuring these permission classifications, you can define which permissions fall into each category. This enables you to ensure that users can only provide consent to apps requesting permissions classified as "low impact." This approach helps control the level of access users can grant to apps, aligning with your requirement.

I go with D https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/configure-permission-classifications?pivots=portal

D looks like the better answer, when creating a custom app policy you need to define the Permissions Classification: https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/manage-app-consent-policies?pivots=ms-powershell. However this is overly complex as it seems the easiest thing to do is just select the radial to allow user consent to apps from trusted publishers, default impact is low. https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/configure-user-consent?pivots=portal

I go with D https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/configure-permission-classifications?pivots=portal